
Commit 9f52529

Add security, accessibility, and performance CI workflows
Introduce GitHub Actions workflows for security (CodeQL, SAST, secret scanning), accessibility (Axe, Pa11y, color contrast), and performance (Lighthouse, bundle analysis, memory leak detection). Add configuration files for Dependabot, Lighthouse, and update README badges and documentation to reflect new CI checks. Minor update to codecov.yml for boolean value.
1 parent ec7ff27 commit 9f52529


9 files changed: 738 additions, 2 deletions


.github/SECURITY.md

Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
# Security Policy
2+
3+
## Overview
4+
5+
This is a web application deployed continuously from the main branch. We take security seriously and address vulnerabilities as soon as they are discovered.
6+
7+
## Reporting a Vulnerability
8+
9+
We take the security of our software seriously. If you believe you have found a security vulnerability, please report it to us as described below.
10+
11+
### Please do NOT:
12+
- Open a public GitHub issue
13+
- Post on social media
14+
- Disclose the vulnerability publicly before we've had a chance to fix it
15+
16+
### Please DO:
17+
- Email us at: [Create a security advisory](https://github.com/ntindle/gridfinity-space-optimizer/security/advisories/new)
18+
- Provide detailed steps to reproduce the issue
19+
- Include the impact of the issue
20+
- Suggest a fix if you have one
21+
22+
### What to expect:
23+
- **Response Time**: We'll acknowledge receipt within 48 days
24+
- **Updates**: We'll provide updates at least every 72 days
25+
- **Fix Timeline**: We aim to release a fix within 7-14 days depending on complexity
26+
- **Disclosure**: We'll coordinate public disclosure with you
27+
28+
## Security Measures
29+
30+
### Code Security
31+
- All code is scanned using CodeQL and multiple SAST tools
32+
- Dependencies are regularly audited for vulnerabilities
33+
- Automated security checks on all pull requests
34+
35+
### Dependency Management
36+
- Weekly automated dependency audits
37+
- Snyk monitoring for real-time vulnerability detection
38+
- Automated PR creation for security updates
39+
40+
### Build Security
41+
- CI/CD pipelines run in isolated environments
42+
- No secrets stored in code
43+
- Environment variables used for sensitive configuration
44+
45+
## Security Tools in Use
46+
47+
- **CodeQL**: Semantic code analysis
48+
- **Semgrep**: Static analysis security scanner
49+
- **Snyk**: Dependency and container vulnerability scanning
50+
- **Trivy**: Comprehensive vulnerability scanner
51+
- **Gitleaks**: Secret detection in git repos
52+
- **TruffleHog**: Credential verification scanner
53+
- **npm audit**: Node.js dependency auditing
54+
55+
## Best Practices for Contributors
56+
57+
1. **Never commit secrets**: API keys, passwords, tokens
58+
2. **Validate input**: Always validate and sanitize user input
59+
3. **Use parameterized queries**: Prevent injection attacks
60+
4. **Implement proper authentication**: Use secure session management
61+
5. **Keep dependencies updated**: Regularly update packages
62+
6. **Follow secure coding guidelines**: OWASP Top 10
63+
64+
## Automated Security Checks
65+
66+
Every pull request undergoes:
67+
- Static Application Security Testing (SAST)
68+
- Dependency vulnerability scanning
69+
- Secret detection scanning
70+
- Code quality and security review
71+
- License compliance checking
72+
73+
## Contact
74+
75+
For security concerns, please use GitHub's security advisory feature or contact the maintainers directly through secure channels.
76+
77+
---
78+
79+
*This security policy is regularly reviewed and updated. Last update: Current*
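Review bot: the "What to expect" bullets promise acknowledgement "within 48 days" and updates "at least every 72 days", which cannot be intended next to a 7-14 day fix target two lines later; these are almost certainly hours, so change them to `We'll acknowledge receipt within 48 hours` and `We'll provide updates at least every 72 hours`. The "Please DO" list opens with "Email us at:" but the link is the GitHub advisory form, not an address, and the Contact section likewise only says "secure channels" without naming one; reword the bullet to `Open a private security advisory:` or add a real contact address. The Security Measures and Security Tools sections commit to Snyk monitoring, Trivy, Semgrep, Gitleaks, TruffleHog and license compliance checking, yet of the nine files in this commit only the CodeQL and accessibility workflows are visible here; before the policy promises a tool, confirm a workflow actually runs it, and drop any that are not wired in. The footer's "Last update: Current" is a placeholder and should be a date. Minor: "Use parameterized queries" and "secure session management" under Best Practices only apply if this repository has a backend; the accessibility workflow serves the app as static files from `dist`, so if that is the whole application, keep the list to items contributors here can act on.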

.github/codecov.yml

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
codecov:
2-
require_ci_to_pass: yes
2+
require_ci_to_pass: true
33
notify:
44
wait_for_ci: true
55

.github/dependabot.yml

Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
version: 2
2+
updates:
3+
# Enable version updates for npm
4+
- package-ecosystem: "npm"
5+
directory: "/"
6+
schedule:
7+
interval: "weekly"
8+
day: "monday"
9+
time: "04:00"
10+
open-pull-requests-limit: 10
11+
reviewers:
12+
- "ntindle"
13+
labels:
14+
- "dependencies"
15+
- "npm"
16+
commit-message:
17+
prefix: "chore"
18+
prefix-development: "chore"
19+
include: "scope"
20+
ignore:
21+
# Ignore major version updates for these packages
22+
- dependency-name: "react"
23+
update-types: ["version-update:semver-major"]
24+
- dependency-name: "react-dom"
25+
update-types: ["version-update:semver-major"]
26+
groups:
27+
# Group all development dependencies together
28+
dev-dependencies:
29+
patterns:
30+
- "*"
31+
dependency-type: "development"
32+
# Group all production dependencies together
33+
production-dependencies:
34+
patterns:
35+
- "*"
36+
dependency-type: "production"
37+
# Group ESLint and related packages
38+
eslint:
39+
patterns:
40+
- "eslint*"
41+
- "@typescript-eslint/*"
42+
# Group testing packages
43+
testing:
44+
patterns:
45+
- "vitest*"
46+
- "@testing-library/*"
47+
# Group Radix UI packages
48+
radix-ui:
49+
patterns:
50+
- "@radix-ui/*"
51+
52+
# Enable version updates for GitHub Actions
53+
- package-ecosystem: "github-actions"
54+
directory: "/"
55+
schedule:
56+
interval: "weekly"
57+
day: "monday"
58+
time: "04:00"
59+
labels:
60+
- "dependencies"
61+
- "github-actions"
62+
commit-message:
63+
prefix: "ci"
64+
include: "scope"
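Review bot: the `groups` block lists the two catch-all groups `dev-dependencies` and `production-dependencies` (pattern `"*"`) ahead of `eslint`, `testing` and `radix-ui`, and Dependabot assigns a dependency to the first group whose patterns it matches, so the three specific groups will never receive a single package; move them above the catch-alls or remove them. For the `github-actions` ecosystem, the actions added in this commit are referenced by mutable tags (`actions/checkout@v4`, `github/codeql-action/init@v3`), so Dependabot will only open a PR when a new major tag appears; pinning each `uses:` to a full commit SHA with the version in a trailing comment is the usual supply-chain recommendation, and Dependabot keeps both the SHA and the comment updated, so the weekly schedule configured here then also picks up patch releases.
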
Lines changed: 170 additions & 0 deletions
@@ -0,0 +1,170 @@
1+
name: Accessibility Tests
2+
3+
on:
4+
push:
5+
branches: [main, dev]
6+
pull_request:
7+
branches: [main, dev]
8+
9+
jobs:
10+
axe-accessibility:
11+
name: Axe Accessibility Testing
12+
runs-on: ubuntu-latest
13+
14+
steps:
15+
- name: Checkout code
16+
uses: actions/checkout@v4
17+
18+
- name: Setup Node.js
19+
uses: actions/setup-node@v4
20+
with:
21+
node-version: '20.x'
22+
cache: 'npm'
23+
24+
- name: Install dependencies
25+
run: |
26+
npm ci
27+
npm install --save-dev @axe-core/cli puppeteer
28+
29+
- name: Build application
30+
run: npm run build
31+
32+
- name: Serve application
33+
run: |
34+
npx serve -s dist -p 3000 &
35+
sleep 5
36+
37+
- name: Run Axe accessibility tests
38+
run: |
39+
npx axe http://localhost:3000 \
40+
--dir ./axe-reports \
41+
--save \
42+
--timeout 30000 \
43+
--tags wcag2a,wcag2aa,wcag21a,wcag21aa \
44+
--show-errors
45+
continue-on-error: true
46+
47+
- name: Generate accessibility report
48+
if: always()
49+
run: |
50+
echo "## ♿ Accessibility Report" >> $GITHUB_STEP_SUMMARY
51+
echo "" >> $GITHUB_STEP_SUMMARY
52+
53+
if [ -f "./axe-reports/index.json" ]; then
54+
# Parse the JSON report and create summary
55+
echo "### Axe-core Results" >> $GITHUB_STEP_SUMMARY
56+
echo "" >> $GITHUB_STEP_SUMMARY
57+
58+
# Check if there are violations
59+
violations=$(cat ./axe-reports/index.json | grep -o '"violations":\[\]' || true)
60+
if [ -n "$violations" ]; then
61+
echo "✅ No accessibility violations found!" >> $GITHUB_STEP_SUMMARY
62+
else
63+
echo "⚠️ Accessibility issues detected. Check the detailed report." >> $GITHUB_STEP_SUMMARY
64+
fi
65+
else
66+
echo "❌ Accessibility test failed to generate report" >> $GITHUB_STEP_SUMMARY
67+
fi
68+
69+
echo "" >> $GITHUB_STEP_SUMMARY
70+
echo "### Standards Tested" >> $GITHUB_STEP_SUMMARY
71+
echo "- WCAG 2.0 Level A" >> $GITHUB_STEP_SUMMARY
72+
echo "- WCAG 2.0 Level AA" >> $GITHUB_STEP_SUMMARY
73+
echo "- WCAG 2.1 Level A" >> $GITHUB_STEP_SUMMARY
74+
echo "- WCAG 2.1 Level AA" >> $GITHUB_STEP_SUMMARY
75+
76+
- name: Upload accessibility reports
77+
if: always()
78+
uses: actions/upload-artifact@v4
79+
with:
80+
name: accessibility-reports
81+
path: axe-reports/
82+
retention-days: 30
83+
84+
pa11y-accessibility:
85+
name: Pa11y Accessibility Testing
86+
runs-on: ubuntu-latest
87+
88+
steps:
89+
- name: Checkout code
90+
uses: actions/checkout@v4
91+
92+
- name: Setup Node.js
93+
uses: actions/setup-node@v4
94+
with:
95+
node-version: '20.x'
96+
cache: 'npm'
97+
98+
- name: Install dependencies
99+
run: |
100+
npm ci
101+
npm install --save-dev pa11y pa11y-ci
102+
103+
- name: Build application
104+
run: npm run build
105+
106+
- name: Create Pa11y config
107+
run: |
108+
cat > .pa11yci.json << 'EOF'
109+
{
110+
"defaults": {
111+
"timeout": 30000,
112+
"wait": 1000,
113+
"standard": "WCAG2AA",
114+
"runners": ["axe", "htmlcs"],
115+
"chromeLaunchConfig": {
116+
"args": ["--no-sandbox", "--disable-setuid-sandbox"]
117+
}
118+
},
119+
"urls": [
120+
{
121+
"url": "http://localhost:3000",
122+
"actions": [
123+
"wait for element #root to be visible"
124+
]
125+
}
126+
]
127+
}
128+
EOF
129+
130+
- name: Serve application
131+
run: |
132+
npx serve -s dist -p 3000 &
133+
sleep 5
134+
135+
- name: Run Pa11y tests
136+
run: npx pa11y-ci --config .pa11yci.json --json > pa11y-results.json
137+
continue-on-error: true
138+
139+
- name: Upload Pa11y results
140+
if: always()
141+
uses: actions/upload-artifact@v4
142+
with:
143+
name: pa11y-results
144+
path: pa11y-results.json
145+
retention-days: 30
146+
147+
color-contrast:
148+
name: Color Contrast Testing
149+
runs-on: ubuntu-latest
150+
151+
steps:
152+
- name: Checkout code
153+
uses: actions/checkout@v4
154+
155+
- name: Check color contrast in CSS
156+
run: |
157+
echo "## 🎨 Color Contrast Report" >> $GITHUB_STEP_SUMMARY
158+
echo "" >> $GITHUB_STEP_SUMMARY
159+
echo "Checking for potential color contrast issues..." >> $GITHUB_STEP_SUMMARY
160+
echo "" >> $GITHUB_STEP_SUMMARY
161+
162+
# Check for common low-contrast color combinations
163+
if grep -r "color:.*#[89abcdef]{3,6}" src/ --include="*.css" --include="*.tsx" --include="*.ts"; then
164+
echo "⚠️ Found potentially low-contrast color values" >> $GITHUB_STEP_SUMMARY
165+
else
166+
echo "✅ No obvious low-contrast issues detected" >> $GITHUB_STEP_SUMMARY
167+
fi
168+
169+
echo "" >> $GITHUB_STEP_SUMMARY
170+
echo "Note: Full contrast testing is performed by Axe and Pa11y" >> $GITHUB_STEP_SUMMARY
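Review bot: `npm install --save-dev @axe-core/cli puppeteer` (and `npm install --save-dev pa11y pa11y-ci` in the second job) runs after `npm ci`, so it installs whatever version is current on the registry at run time and rewrites `package.json` and `package-lock.json` inside the job; `npx serve` and `npx axe` resolve unpinned in the same way. Add these tools to `devDependencies` so `npm ci` installs them from the lockfile, or at minimum pin exact versions. The report step's check `grep -o '"violations":\[\]'` only matches when the saved JSON has no whitespace between the key and the empty array, so a pretty-printed report will print "Accessibility issues detected" even with zero violations; parse the file instead (for example `jq '[.[].violations[]] | length'`, assuming the report is an array of per-URL results as axe writes it) and fail the step on a non-zero count, because with `continue-on-error: true` on both test steps neither job can currently block a PR. In the `color-contrast` job, `grep -r "color:.*#[89abcdef]{3,6}"` is a basic regular expression in which `{3,6}` is matched literally, so the pattern can never match and the job always prints the ✅ line; it would need `grep -rE`, and even then a light hex value says nothing about contrast without its background, so the job is better removed in favour of the axe `color-contrast` rule that already runs in the first two jobs, as the closing note admits. Also add a top-level `permissions: contents: read`; the workflow needs nothing beyond checkout and the default token scope is wider than that.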

.github/workflows/codeql.yml

Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
name: CodeQL
2+
3+
on:
4+
push:
5+
branches: [main, dev]
6+
pull_request:
7+
branches: [main, dev]
8+
schedule:
9+
# Run at 3 AM UTC every Tuesday
10+
- cron: '0 3 * * 2'
11+
12+
jobs:
13+
analyze:
14+
name: Analyze
15+
runs-on: ubuntu-latest
16+
permissions:
17+
actions: read
18+
contents: read
19+
security-events: write
20+
21+
strategy:
22+
fail-fast: false
23+
matrix:
24+
language: ['javascript', 'typescript']
25+
26+
steps:
27+
- name: Checkout repository
28+
uses: actions/checkout@v4
29+
30+
- name: Initialize CodeQL
31+
uses: github/codeql-action/init@v3
32+
with:
33+
languages: ${{ matrix.language }}
34+
queries: security-extended,security-and-quality
35+
36+
- name: Setup Node.js
37+
uses: actions/setup-node@v4
38+
with:
39+
node-version: '20.x'
40+
cache: 'npm'
41+
42+
- name: Install dependencies
43+
run: npm ci
44+
45+
- name: Build application
46+
run: npm run build
47+
48+
- name: Perform CodeQL Analysis
49+
uses: github/codeql-action/analyze@v3
50+
with:
51+
category: "/language:${{matrix.language}}"
52+
53+
- name: Upload SARIF results
54+
if: always()
55+
uses: github/codeql-action/upload-sarif@v3
56+
with:
57+
sarif_file: ${{ runner.workspace }}/results
58+
59+
- name: Generate Security Report
60+
if: always()
61+
run: |
62+
echo "## Security Analysis Report 🔒" >> $GITHUB_STEP_SUMMARY
63+
echo "" >> $GITHUB_STEP_SUMMARY
64+
echo "### CodeQL Analysis for ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
65+
echo "" >> $GITHUB_STEP_SUMMARY
66+
echo "✅ Analysis completed for language: ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
67+
echo "" >> $GITHUB_STEP_SUMMARY
68+
echo "View detailed results in the Security tab of this repository." >> $GITHUB_STEP_SUMMARY
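Review bot: the matrix `language: ['javascript', 'typescript']` runs the same analysis twice, because CodeQL has one `javascript-typescript` extractor for which `javascript` and `typescript` are aliases; use a single entry (`javascript-typescript`) and drop the matrix. The `Upload SARIF results` step is redundant: `github/codeql-action/analyze` already uploads its SARIF (which is what `security-events: write` is for), and re-uploading `${{ runner.workspace }}/results` without a `category` records the same findings again under a different category; remove the step. `npm ci` and `npm run build` are not required for JavaScript/TypeScript analysis, as CodeQL extracts source without a build, so removing them shortens the job and stops the scan from depending on the build succeeding. Finally the summary step runs under `if: always()` and unconditionally prints "✅ Analysis completed", so a failed analysis still shows a green tick in the job summary; gate it on `success()` or print `${{ job.status }}` instead.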
